<h1>Using autologin in web UI with Struts2 login form</h1>
<p>Arachni support discussion (support.arachni-scanner.com, problems/4012; last updated 2016-08-08T10:00:53Z).</p>

<h2>Tasos Laskos, 2016-05-13T14:20:54Z</h2>
<div><p>That could very well be the cause; that would put stress on
both Arachni and the server.<br>
You could try lowering the HTTP request concurrency and the number
of browsers, as well as the HTTP and browser job timeouts, to decrease
the stress, but it would take a long time for the scan to
complete.</p></div>

<h2>nate.kerkhofs, 2016-05-17T08:16:38Z</h2>
<div><p>I just ran Arachni for another 2 hours, and the earlier problem
where that "0 usable code paths" message shows and sticks around
happened again. However, I think it is related to session timeouts,
because I configured my Tomcat to time out after 2 hours (120
minutes), which coincides exactly with this message. I was using
the nightly build from last Friday for this test, the 2.0dev-1.0dev
build.</p>
<p>I have done an interrupt (control-C) because last time it didn't
get past the "0 usable code paths" message, and now it just shows
the message "Aborting... Please wait while the system cleans up"
without any other messages before or after that. Is this supposed
to take very long, this cleanup? Or is it crashing on that as
well?</p></div>

<h2>Tasos Laskos, 2016-05-17T08:19:12Z</h2>
<div><p>I can't think of a reason why a timed-out session would cause
this.<br>
Is there any chance I can run a scan against that webapp?</p></div>

<h2>nate.kerkhofs, 2016-05-17T08:32:52Z</h2>
<div><p>You can download a trial version of our software (unlimited use
for 30 days) at <a href="http://www.ikanalm.com/download.html">http://www.ikanalm.com/download.html</a>,
which you can install and run locally. You will have to create an
account to download it, unfortunately. I hope that's not a problem.
We don't ask for credit card details and our passwords are properly
secured.</p></div>

<h2>nate.kerkhofs, 2016-05-17T09:52:02Z</h2>
<div><p>I forgot to mention that I had to tweak the command quite a lot
for it to work, through trial and error. This is the command I'm
currently using, with alm.rb attached:</p>
<pre>
<code>arachni http://ikan032:8080/alm/desktop.action --audit-exclude-vector=Oid --audit-exclude-vector=oid --audit-exclude-vector=browserID --audit-exclude-vector=JSESSIONID --browser-cluster-pool-size=4 --browser-cluster-ignore-images --checks=*,-common_*,-backup_*,-backdoors --scope-exclude-pattern=logout --scope-exclude-pattern=index --scope-exclude-pattern=housekeeping --scope-exclude-pattern=License --scope-exclude-pattern=login --scope-include-pattern=\.action --scope-include-pattern=\.do --http-request-concurrency=12 --platforms=windows,mysql,java,tomcat --plugin=login_script:script=alm.rb --report-save-path=alm.com.afr</code>
</pre>
<p>You'll have to adapt the command to point to your local ALM
instance, mainly the domain name and the platform (the ALM demo
version uses HSQLDB, not MySQL like my development environment
does).</p>
<p>The reasons I think this is related to Tomcat timing out are:</p>
<ol>
<li>the message coincides with the moment when the Arachni session
should have timed out according to web.xml;</li>
<li>because of the excluded patterns, there are no remaining code paths for Arachni to
try on the Login page, which is exactly the error I'm getting.</li>
</ol></div>

<h2>Tasos Laskos, 2016-05-17T10:49:21Z</h2>
<div><p>The message you're seeing isn't an error; it's just letting you know
that that particular page has no new paths that are within
scope.<br>
If all the workload was exhausted the system should have exited
with a report; under no circumstances is the behavior you're seeing
acceptable.</p>
<p>I'll have a look at it myself; in the meantime you can try
enabling <code>--output-debug=3</code> to see what's going on.<br>
You can also set it during runtime by pressing <code>Enter</code>,
then <code>d3</code>, then <code>Enter</code>.<br>
You can do that when the system looks stuck and it'll show if
something else is going on in the background.</p></div>

<h2>nate.kerkhofs, 2016-05-17T11:33:28Z</h2>
<div><p>I am running a modified command with that output statement, plus
auto-redundant configured to 2 and most dropdown inputs
excluded.</p>
<p>I have also had the scan stop a few times in a similar fashion
where it shows 2/3 of the HTML of a page and, after the final tag,
something about @taint and then a JavaScript snippet attached to
window.top, which is probably related to <a href="http://www.arachni-scanner.com/blog/arachnibrowser-js-data-flow-taint-tracing/">
http://www.arachni-scanner.com/blog/arachnibrowser-js-data-flow-taint-tracing/</a>.
I don't see the Dojo framework mentioned on that page, which is
what we use.</p></div>

<h2>Tasos Laskos, 2016-05-17T11:35:10Z</h2>
<div><p>Does CPU utilization spike during those freezes?</p></div>

<h2>nate.kerkhofs, 2016-05-18T06:31:08Z</h2>
<div><p>Pressing Enter during runtime does not do anything on my
machine. It just keeps going.</p></div>

<h2>Tasos Laskos, 2016-05-18T07:46:59Z</h2>
<div><p>You must be on MS Windows; the command screen isn't available
there, so you'll need to specify it at the beginning of the scan.</p></div>

<h2>nate.kerkhofs, 2016-05-18T12:34:06Z</h2>
<div><p>I ran Arachni overnight, but Tomcat ran out of memory; that
might be related to the computer unexpectedly locking
itself.</p>
<p>Then, today, I started another run at 10:17 using debug=3
output, which went well until, at 13:06, the final message appeared
on my screen: a debug message about a Browser job that timed out,
right after that same browser job got created. I've considered
piping the debug output into a text file so I might be able to
upload it, but after only a few minutes it was already 8 MB, so
that's not an option for a command that has to run for several
hours.</p>
<p>I've already gotten quite a bit of useful information, but
because it keeps breaking, I haven't yet been able to complete a
full scan. Is there any more advice you could give me?</p></div>

<h2>Tasos Laskos, 2016-05-18T12:37:53Z</h2>
<div><p>Redirecting to a file is your best bet; it'll probably grow to
GBs, but you can <code>tail</code> it from a *nix box (unless
Windows has something similar to <code>tail</code>) to inspect the
last messages, which will be the interesting ones anyway.</p></div>

<h2>nate.kerkhofs, 2016-05-19T07:50:11Z (edited 2016-05-19T07:58:31Z)</h2>
<div><p>So another update since the last update:</p>
<p>I ran Arachni for another 6 hours yesterday and again, it didn't
finish properly. At around 20:08:35 last night, it downloaded the
last page, then halted again. I attached the relevant chunk from
the debug output file (which was 2.7 GB after control-C ended the
scan). Apparently, it halted on another "0 unusable paths" page
(line 677413).</p>
<p>I ran into another problem, though. After ending the scan and
forcing Arachni to generate a report, it found 173 issues in total
according to the debug output. However, when generating an HTML file
from the attached report, it only generated a report with 73
issues. The generated alm.html.zip file was also smaller than the
alm.com.afr (2.5 MB vs 1.7 MB). I really hope the .afr file isn't
corrupted in some way. I was wondering if you could check if it
generates a proper .html.zip file with 173 issues on your end, as
indicated by the CLI output when generating the report.</p>
<p>Actually, scratch that last one. I forgot to add <code>--</code> before the
reporter param, so it just reported what was in the report.</p></div>

<h2>Tasos Laskos, 2016-08-08T10:00:39Z</h2>
<div><p>The fix should be available in the latest <a href="http://downloads.arachni-scanner.com/nightlies/">nightlies</a>.<br>
If it doesn't work for you, feel free to re-open this
discussion.</p></div>
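<p>The advice in the thread is to redirect the <code>--output-debug=3</code> stream to a file and <code>tail</code> it, which is awkward on Windows where <code>tail</code> is missing and the file runs to gigabytes. The following is an added example, not Arachni's code and not the attached alm.rb: a small script, written in Ruby because Arachni's packages bundle a Ruby interpreter, that reads only the tail of a huge log, finds the last lines matching a pattern together with their line numbers and preceding context, and pairs browser job "created" messages with their "done" or "timed out" counterparts so a job that was created and never finished stands out. The sample log lines and the regexes are constructed assumptions; the real debug messages differ and the patterns must be adapted to what your build prints.</p>

```ruby
# Added example, not Arachni code and not the attached alm.rb: inspect a
# multi-gigabyte --output-debug=3 log on a machine without `tail`.
# The log line format in SAMPLE_LOG and the regexes below are assumptions
# constructed for illustration; adapt them to what your build prints.
require 'tempfile'

CHUNK = 64 * 1024

# Last `n` lines of `path`, read backwards in CHUNK-sized blocks so only
# the tail of the file is ever held in memory (what `tail -n` does).
def tail_lines(path, n)
  File.open(path, 'rb') do |f|
    pos = f.size
    buf = +''
    # Keep pulling blocks from the end until we hold n+1 newlines, which
    # guarantees the last n lines are complete, or we reach the file start.
    while pos > 0 && buf.count("\n") <= n
      step = [CHUNK, pos].min
      pos -= step
      f.seek(pos)
      buf = f.read(step) + buf
    end
    lines = buf.split("\n", -1).map(&:chomp) # chomp also strips a Windows \r
    lines.pop if lines.last == ''            # file ended with a newline
    lines.last(n)
  end
end

# One streaming pass in constant memory that keeps the last `keep` lines
# matching `regex`, each with its 1-based line number and the `context`
# lines that preceded it; the equivalent of `grep -n -B context`.
def last_matches(path, regex, context: 3, keep: 2)
  ring = []
  hits = []
  File.foreach(path, chomp: true).with_index(1) do |line, no|
    if line =~ regex
      hits << { line_no: no, line: line, before: ring.dup }
      hits.shift if hits.size > keep
    end
    ring << line
    ring.shift if ring.size > context
  end
  hits
end

# Pair browser job "created" messages with their "done"/"timed out"
# counterparts; anything left in still_open was created and never finished.
def browser_job_summary(lines)
  open_jobs = {}
  timed_out = []
  lines.each do |line|
    next unless (m = line.match(/job (\d+) (created|done|timed out)/))
    id = Integer(m[1])
    case m[2]
    when 'created'
      open_jobs[id] = line
    when 'done'
      open_jobs.delete(id)
    when 'timed out'
      timed_out << id
      open_jobs.delete(id)
    end
  end
  { still_open: open_jobs.keys, timed_out: timed_out }
end

# Constructed sample log (not real Arachni output) standing in for the
# tail of the 2.7 GB file described in the thread.
SAMPLE_LOG = <<~LOG
  [*] Trainer: 0 usable code paths for http://alm.example.invalid/alm/login.action
  [*] Browser: job 17 created
  [*] Browser: job 17 done
  [*] Browser: job 18 created
  [*] Browser: job 18 done
  [*] Browser: job 19 created
  [!] Browser: job 19 timed out
LOG

# Write SAMPLE_LOG to a temp file that is not auto-removed; return its path.
def write_sample_log
  f = Tempfile.create('arachni-debug')
  f.write(SAMPLE_LOG)
  f.close
  f.path
end

if __FILE__ == $0
  path = ARGV[0] || write_sample_log
  puts tail_lines(path, 5)
  last_matches(path, /timed out/).each { |h| puts "#{h[:line_no]}: #{h[:line]}" }
  p browser_job_summary(tail_lines(path, 10_000))
end
```

<p>Run it as <code>ruby debug_tail.rb C:\path\to\arachni-debug.log</code> (file name assumed); with no argument it runs against the constructed sample. <code>tail_lines</code> seeks from the end, so it answers in milliseconds regardless of file size; <code>last_matches</code> has to stream the whole file once, but never holds more than the ring buffer and the kept hits, so a multi-gigabyte log is fine.</p>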